People are spending more and more time on the internet to carry out daily activities such as online banking and shopping. The convenience afforded by this access and availability is, however, not without drawbacks: it has been accompanied by a corresponding growth in online fraud.
Reports of identity and account takeover involving Trojans, man-in-the-middle and man-in-the-browser attacks, and phishing appear in the news with increasing frequency. These threats have raised awareness among service providers and customers alike. They are serious and need to be addressed.
One of the most common ways to fight fraudulent activity is to bind a specific computing device (e.g. a laptop or smartphone) to a specific user. This can be done, for example, by device fingerprinting. However, the growth in mobile devices presents a new challenge for device fingerprinting, because device identification is much harder when the browser-related attributes have low uniqueness (e.g. most iPhones report the same browser, the same screen resolution, etc., so many devices share one fingerprint). It is also unreliable to depend on a smartphone's hardware identifiers such as the IMEI, MEID or MAC address, since both the iOS and Android platforms tend to obfuscate or deny access to them in order to address user privacy concerns.
Further, it is unreliable to depend on device tagging using cookies, as these are relatively easy to steal. Currently, when a user is authenticated, a cookie is saved on the device that was used. Usually the cookie contains two pieces of information. The first is a time stamp indicating when the cookie was created; it is compared against the creation time stored on a remote host to verify that the two do not mismatch. The second is a unique identifier key, whose value is matched against the one stored on the remote host. This approach has the disadvantage that access is approved as soon as the key matches what is stored by the host service and the last log-in time is consistent; nothing in the check depends on the device itself. The approach is, therefore, vulnerable to “over the air theft”, meaning that a cybercriminal can gain access to an account simply by copying the cookie to another device.
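The following is an added illustration, not part of the original text, of the cookie check described above and of why a copied cookie passes it. The record layout, the function names (`issue_cookie`, `validate_cookie`) and the constructed user and time values are assumptions made for the example; the point it shows is that the server compares only the key and the creation time, so a cookie copied byte-for-byte to an attacker's device is indistinguishable from the original.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class DeviceRecord:
    """What the remote host stores per user when the cookie is issued:
    the unique identifier key and the time stamp of its creation."""
    key: str
    created_at: int


@dataclass
class CookieStore:
    # Hypothetical server-side table: user name -> DeviceRecord
    records: dict = field(default_factory=dict)


def issue_cookie(store: CookieStore, user: str, now: int) -> dict:
    """Called after a successful log-in. Generates the two pieces of
    information described in the text and returns the cookie that
    will be saved on the device."""
    key = secrets.token_hex(16)
    store.records[user] = DeviceRecord(key=key, created_at=now)
    return {"created_at": now, "key": key}


def validate_cookie(store: CookieStore, user: str, cookie: dict) -> bool:
    """The check described in the text. Note that nothing about the
    presenting device is an input: only the key and the time stamp
    inside the cookie are compared with the stored record."""
    rec = store.records.get(user)
    if rec is None:
        return False
    # Constant-time comparison of the unique identifier key.
    if not hmac.compare_digest(rec.key, str(cookie.get("key", ""))):
        return False
    # The creation time in the cookie must match the stored one.
    return rec.created_at == cookie.get("created_at")


def demo() -> dict:
    """Constructed scenario: the legitimate user logs in, and an
    attacker later copies the cookie (e.g. via malware on the device)
    to a different machine."""
    store = CookieStore()
    victim_cookie = issue_cookie(store, "alice", now=1_700_000_000)

    # "Over the air theft": an exact copy of the cookie on another device.
    stolen_cookie = dict(victim_cookie)

    # A cookie whose time stamp was altered, and one with a wrong key,
    # for comparison: these are the only things the check can reject.
    tampered_time = {**stolen_cookie, "created_at": stolen_cookie["created_at"] + 1}
    wrong_key = {**stolen_cookie, "key": secrets.token_hex(16)}

    return {
        "victim_ok": validate_cookie(store, "alice", victim_cookie),
        "attacker_ok": validate_cookie(store, "alice", stolen_cookie),
        "tampered_time_ok": validate_cookie(store, "alice", tampered_time),
        "wrong_key_ok": validate_cookie(store, "alice", wrong_key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check accepts the stolen copy exactly as it accepts the original, because the cookie carries everything the host compares and the device it is presented from plays no part. Only a mismatched key or creation time is rejected, which an attacker who copies the whole cookie never triggers.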
There is, therefore, a need for further approaches for use in authentication.